[cups.bugs] [MOD] STR #2974: potential int overflow in _cupsImageReadPNG()

Michael R Sweet msweet at apple.com
Fri Oct 17 09:52:39 PDT 2008


ilja wrote:
> I don't think that's correct.
> 
>   if (width == 0 || width > CUPS_IMAGE_MAX_WIDTH || <-- this one can be 2^27-1
>       height == 0 || height > CUPS_IMAGE_MAX_HEIGHT)  <-- this one can be 2^31-1
>   {
>     fprintf(stderr, "DEBUG: PNG image has invalid dimensions %ux%u!\n",
>             (unsigned)width, (unsigned)height);
>     fclose(fp);
>     return (1);
>   }
> ...
>   img->ysize = height;
> ...

OK, you're right.  Re-opening the bug...

The simple fix appears to be:

       if ((bufsize / (img->xsize * 3)) != img->ysize)


> --------- Original message --------
> From: cups-bugs at easysw.com
> To: ilja <ilja at netric.org>
> Cc: ilja <ilja at netric.org>, cups-bugs at easysw.com
> Subject: Re: [MOD] STR #2974: potential int overflow in _cupsImageReadPNG()
> Date: 17/10/08 08:55
> 
>>
>> [STR Closed w/o Resolution]
>>
>> The maximum dimensions of an image are 2^27-1, so it is impossible for
>> "img->ysize * 3" to overflow a 32-bit integer.  See the range checks prior
>> to the buffer size check...
>>
>> Link: http://www.cups.org/str.php?L2974
>> Version: 1.3.9
>> Fix Version: None
>>
>>
> 
> 


-- 
______________________________________________________________________
Michael R Sweet                        Senior Printing System Engineer
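
An added example, not part of the original message or the CUPS source: the division test proposed above, applied to unsigned 32-bit arithmetic with the dimension limits quoted in the thread. The function names, the `MAX_W`/`MAX_H` macros, and the assumption that the buffer holds width x height x 3 bytes are illustrative.

```c
#include <stdint.h>
#include <stdio.h>

/* Limits as stated in the thread; macro names are hypothetical. */
#define MAX_W 0x07ffffffu /* 2^27-1 */
#define MAX_H 0x7fffffffu /* 2^31-1 */

/* Unchecked 32-bit size of a w x h RGB buffer; wraps modulo 2^32. */
uint32_t naive_bufsize(uint32_t w, uint32_t h)
{
  return w * 3u * h;
}

/*
 * Stores the buffer size in *out and returns 0, or returns -1 when the
 * dimensions are out of range or the product does not fit in 32 bits.
 */
int checked_bufsize(uint32_t w, uint32_t h, uint32_t *out)
{
  uint32_t row, size;

  if (w == 0 || w > MAX_W || h == 0 || h > MAX_H)
    return -1;

  row  = w * 3u;  /* cannot wrap: w <= 2^27-1, so row < 2^29 */
  size = row * h; /* unsigned, so a too-large product wraps (no UB) */

  if (size / row != h) /* a wrapped product always divides back short */
    return -1;

  *out = size;
  return 0;
}

int main(void)
{
  /* Constructed sample dimensions, all inside the range checks. */
  uint32_t dims[][2] = { {1024, 768}, {65536, 65536}, {MAX_W, 11} };
  uint32_t size;

  for (size_t i = 0; i < sizeof(dims) / sizeof(dims[0]); i++)
  {
    int rc = checked_bufsize(dims[i][0], dims[i][1], &size);
    printf("%ux%u naive=%u checked=%s\n", (unsigned)dims[i][0], (unsigned)dims[i][1],
           (unsigned)naive_bufsize(dims[i][0], dims[i][1]), rc ? "rejected" : "ok");
  }
  return 0;
}
```

If the sizes are held in signed `int`, the wrapping multiply is undefined behaviour in C, so convert to an unsigned or wider type before multiplying.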




